From 726295df81f6ae9cd9d445aedd920669e20efd41 Mon Sep 17 00:00:00 2001 From: Carolina Roncaglia Date: Tue, 14 Apr 2026 12:23:33 -0300 Subject: [PATCH 1/2] docs: add --sync-sso-user-last-login to README, remove orphaned SCIM fields - Add `--sync-sso-user-last-login` flag to README CLI usage section. The flag was introduced in PR #98 (CXP-15) but was never added to the README. Requires cloudtrail:LookupEvents IAM permission. - Remove orphaned SCIMToken, SCIMEndpoint, SCIMEnabled fields from Config struct in pkg/connector/connector.go. These were left as dead code after SCIM support was fully removed in PR #104 (CXP-232). Co-Authored-By: Claude Sonnet 4.6 --- README.md | 1 + pkg/connector/connector.go | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 5908de37..3f51cccb 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,7 @@ Flags: --skip-full-sync This must be set to skip a full sync ($BATON_SKIP_FULL_SYNC) --sync-resources strings The resource IDs to sync ($BATON_SYNC_RESOURCES) --sync-secrets Whether to sync secrets or not ($BATON_SYNC_SECRETS) + --sync-sso-user-last-login Enable fetching last login time for SSO users from CloudTrail (requires cloudtrail:LookupEvents permission) ($BATON_SYNC_SSO_USER_LAST_LOGIN) --ticketing This must be set to enable ticketing support ($BATON_TICKETING) --use-assume Enable support for assume role ($BATON_USE_ASSUME) -v, --version version for baton-aws diff --git a/pkg/connector/connector.go b/pkg/connector/connector.go index 48ae4306..55aab605 100644 --- a/pkg/connector/connector.go +++ b/pkg/connector/connector.go @@ -42,9 +42,6 @@ type Config struct { GlobalAwsSsoEnabled bool ExternalID string RoleARN string - SCIMToken string - SCIMEndpoint string - SCIMEnabled bool SyncSecrets bool IamAssumeRoleName string SyncSSOUserLastLogin bool From d4a63427a5c48a6b66e4c979d9b36951406aa5d7 Mon Sep 17 00:00:00 2001 
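Review bot: the README.md hunk documents the `cloudtrail:LookupEvents` requirement only inside the help text of `--sync-sso-user-last-login`, while the permissions policy that docs/connector.mdx walks through (context line "The permissions policy below is broken into several sections" in the second patch) is not touched anywhere in this series, so a user who builds their IAM role from the documented policy and then enables the flag will have the CloudTrail lookup denied. Suggest adding `cloudtrail:LookupEvents` to the relevant section of that policy in the same series, or at minimum cross-referencing it from the flag's description.

Review bot: the pkg/connector/connector.go hunk drops `SCIMToken`, `SCIMEndpoint` and `SCIMEnabled` from `Config`, and the diffstat shows no other Go file changed, so the commit message should state that the tree builds and vets clean after the removal (nothing else may still read or populate those fields after PR #104). The subject prefix `docs:` also misdescribes a change to Go source; either split the struct cleanup into its own `chore:`/`refactor:` commit or change the prefix so the changelog classifies it correctly.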
From: Carolina Roncaglia Date: Tue, 14 Apr 2026 12:29:48 -0300 Subject: [PATCH 2/2] docs: remove SCIM references from connector.mdx SCIM support was fully removed in PR #104 (CXP-232). Remove three remaining references from docs/connector.mdx: - UI setup step instructing users to enable the SCIM API - BATON_SCIM_ENABLED/ENDPOINT/TOKEN env vars from the self-hosted config example - Mention of "Enable usage of the AWS IAM Identity Center SCIM API" in the cross-account access setup note Co-Authored-By: Claude Sonnet 4.6 --- docs/connector.mdx | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/docs/connector.mdx b/docs/connector.mdx index a04bc704..c549eab5 100644 --- a/docs/connector.mdx +++ b/docs/connector.mdx @@ -50,7 +50,7 @@ Follow the relevant set of instructions below to set up the AWS connector for IA To sync IAM data (like users, roles, and groups) from multiple AWS child accounts, C1 uses a secure, read-only mechanism called **cross-account access**. This setup works by allowing a central role in your root account to temporarily assume a specific role in each child account. This method ensures that the connector can gather the necessary data without storing credentials or requiring permanent access. -If you're using this setup, make sure to click **Enable support for AWS Organizations** when setting up the connector in the C1 web UI, and DO NOT click **Enable support for AWS IAM Identity Center** or **Enable usage of the AWS IAM Identity Center SCIM API**. +If you're using this setup, make sure to click **Enable support for AWS Organizations** when setting up the connector in the C1 web UI, and DO NOT click **Enable support for AWS IAM Identity Center**. **In order to use the connector to gather IAM AWS data, you'll need to configure each sub-account to have a role with a trust policy.** There are two options here: 
@@ -533,9 +533,6 @@ The permissions policy below is broken into several sections to align with these **Optional.** Click to **Enable support for AWS IAM Identity Center** and select the region for AWS IAM Identity Center from the dropdown. - **Optional.** To enable C1 to sync the statuses of SSO accounts, click to **Enable usage of the AWS IAM Identity Center SCIM API** and enter the SCIM endpoint and access token in the relevant fields. - - **Optional.** Enable **Sync secrets** to display them on the [Inventory page](/product/admin/inventory). @@ -623,10 +620,6 @@ stringData: BATON_GLOBAL_AWS_SSO_ENABLED: true BATON_GLOBAL_AWS_SSO_REGION: - # Optional: Include to enable C1 to sync the statuses of SSO accounts - BATON_SCIM_ENABLED: true - BATON_SCIM_ENDPOINT: - BATON_SCIM_TOKEN: ``` If support for AWS Organizations is enabled, the IAM Role must be created in the management (formerly called master) account of the AWS Organization. If the IAM Role is created on a member account and support for AWS Organizations is enabled, the integration will return a 400 error.
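Review bot: in the `@@ -623` hunk of docs/connector.mdx the surviving context line `BATON_GLOBAL_AWS_SSO_ENABLED: true` sits under `stringData:`; if this is a Kubernetes Secret manifest, as `stringData:` suggests, every value in that map must be a string, and an unquoted YAML boolean is rejected when the manifest is applied (the removed `BATON_SCIM_ENABLED: true` line had the same defect). While editing this block, quote it as `"true"`. Since the first patch in this series documents `$BATON_SYNC_SSO_USER_LAST_LOGIN` in README.md, consider replacing the removed SCIM lines with a commented optional `BATON_SYNC_SSO_USER_LAST_LOGIN: "true"` entry and the CloudTrail permission note, so the self-hosted example stays in step with the CLI flags.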